Sync Engine - Allow changes to MA Target when key MV attributes have not changed
I am currently running through some POC work with FIM 2010 Sync Service. I will not be using anything but the Sync Service due to cost (no Portal). What I am trying to accomplish is to have a flow something like the below:

HR Data -> CS -> MV
- Sample Attributes: UserName, Job Code, Status (active, terminated, etc.)
- Flowed into MV 1 to 1

MV -> CS -> ApplicationX (SQL Table)
- UserName, ApplicationXRoleName, ApplicationXStatus (Active, Disabled)
- MV Extension to provision ApplicationX account based on job code and status
- Based on Job Code the user's ApplicationXRoleName will be set to the appropriate application status
- Based on MV Status the user's ApplicationXStatus will be set to the appropriate application status

All the above works well and the users are enabled, disabled and Roles updated appropriately as the users' Job Code and Status change in the HR data.

The problem I have is that ApplicationX also needs to support ad hoc Role management via its own web interface, which allows a user to be added or modified directly in the ApplicationX Table. This could be to set up a one-off Role in the system for a user that needs access to the system when their job code typically should not have access (job codes are beyond our control and there is no other data to key off of). The problem is on the next import/sync the system staged an overwrite of the setting because FIM said "hey, this attribute isn't what I set it to be and it needs updating." I have tried updating my rule extensions for the import and export to try and only import or export if the Job Code and/or Status changed, but have not had any luck, and all changes made to the access via the application web interface are overwritten by the FIM MA.

Anyone ever had to address a situation like this? I would expect there are several other applications/scenarios like this for other organizations that have had to work through it. Any help/guidance is appreciated.

Jon Kaloz
January 26th, 2012 1:37pm

I think I may have a potential solution leveraging the manual precedence. I am trying to figure out how to handle the comparison logic now and will post sample code if I get it working (or if someone has some examples I would gladly take a look at them).

Jon Kaloz
January 26th, 2012 4:36pm

So if I follow, you want to essentially only flow ApplicationXRoleName if Job Code changes?

My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
January 27th, 2012 6:04pm

That is correct. In order to get around this I just set up an inbound attribute flow with a Rule Extension that essentially does not reimport the value into the connector space from the connected data (SQL table). This allows for the ad hoc role management via the web interface, but also flows any role changes based on the Job Code changes when those changes do occur. This has the side effect that the verification on import is essentially sidestepped, but still works. Perhaps there is a better way to look at the CS on import and provide more logic in the Rules extension based on the data? Not sure yet and still need to play around with this option.

Jon Kaloz
May 1st, 2012 8:57pm
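The comparison logic Jon asks about (only take over ApplicationXRoleName when the job-code-derived role actually changed, otherwise leave an ad hoc edit alone) needs a baseline to compare against, because on the export side the MV only ever holds the HR-derived role. The rules extension below is an added example written for this thread; it is not Jon's code and not code from FIM itself. It assumes one extra column in the ApplicationX table, FIMRoleName, holding the role FIM last wrote, and assumes the MV attribute names jobCode, status and applicationXRoleName and the flow rule names ImportRole, ExportRole and ExportStatus; none of those names come from the thread. The interface members, CSEntry/MVEntry indexers and DeclineMappingException are the standard Microsoft.MetadirectoryServices API for an MA rules extension.

```csharp
// Added example for this thread (not Jon Kaloz's code, not FIM sample code).
// Rules extension for the ApplicationX SQL management agent in FIM 2010 Sync.
//
// Assumed names (not from the thread):
//   MV attributes: jobCode, status, applicationXRoleName (role the HR MA derived from jobCode)
//   CS attributes: ApplicationXRoleName, ApplicationXStatus, plus an extra column
//                  FIMRoleName = the last role FIM wrote. Comparing the derived role to it
//                  tells "job code changed" apart from "someone edited the role in the app".
//   Flow rule names: ImportRole (CS -> MV), ExportRole and ExportStatus (MV -> CS).
using System;
using Microsoft.MetadirectoryServices;

public class ApplicationXMAExtension : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    // Not used by this MA. Throwing here (the FIM template convention) makes the
    // engine report a clear error if one of these rules is ever wired up by mistake.
    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    { throw new EntryPointNotImplementedException(); }
    public DeprovisionAction Deprovision(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public bool FilterForDisconnection(CSEntry csentry)
    { throw new EntryPointNotImplementedException(); }
    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    { throw new EntryPointNotImplementedException(); }
    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                  out int imventry, ref string MVObjectType)
    { throw new EntryPointNotImplementedException(); }

    // Inbound: a role edited in the web interface must never replace the HR-derived
    // role in the MV. Declining the mapping leaves the MV attribute exactly as it was.
    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        switch (FlowRuleName)
        {
            case "ImportRole":
                throw new DeclineMappingException();
            default:
                throw new EntryPointNotImplementedException();
        }
    }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        switch (FlowRuleName)
        {
            case "ExportStatus":
            {
                // Status is authoritative from HR, so it is always exported.
                string hrStatus = mventry["status"].IsPresent ? mventry["status"].Value : "";
                csentry["ApplicationXStatus"].Value =
                    hrStatus.Equals("active", StringComparison.OrdinalIgnoreCase) ? "Active" : "Disabled";
                break;
            }
            case "ExportRole":
            {
                if (!mventry["applicationXRoleName"].IsPresent)
                {
                    throw new DeclineMappingException(); // HR has not produced a role yet
                }
                string derived  = mventry["applicationXRoleName"].Value;
                string baseline = csentry["FIMRoleName"].IsPresent ? csentry["FIMRoleName"].Value : null;

                if (string.Equals(derived, baseline, StringComparison.OrdinalIgnoreCase))
                {
                    // Same role FIM wrote last time, so whatever ApplicationXRoleName holds
                    // now is an ad hoc edit from the web interface: keep it.
                    throw new DeclineMappingException();
                }

                // The job code produced a different role: take the role back over and
                // move the baseline forward with it.
                csentry["ApplicationXRoleName"].Value = derived;
                csentry["FIMRoleName"].Value = derived;
                break;
            }
            default:
                throw new EntryPointNotImplementedException();
        }
    }
}
```

Two things to verify on a test MA before relying on this. First, run a Preview on a connector whose job code has just changed and confirm that the value read from csentry["FIMRoleName"] inside ExportRole is the last imported value, not a pending export staged earlier in the same run; if it is not, the two assignments must be split into separate flow rules with the baseline exported on the following run. Second, the application's own web interface must never touch the FIMRoleName column, otherwise the comparison is meaningless; an ad hoc role for a job code that grants no access is preserved precisely because the derived role and the baseline stay equal until HR changes the job code.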

